DMTF’s Redfish a More Secure Alternative to IPMI

Intel has just announced the end of life of the Intelligent Platform Management Interface (IPMI). The good news? The DMTF Redfish standard API offers a more secure alternative for the computer interface specifications that help provision and monitor servers.

In 1998 Intel® broke new ground in the industry with the announcement of its Intelligent Platform Management Interface, or IPMI. IPMI introduced a new way to standardize the provisioning and management of servers, and in the ensuing years, IPMI was leveraged by many technology vendors, including Hewlett Packard Enterprise (HPE), within both enterprise and midsize business accounts.

We all know that nothing in the world of technology stands still. The computing industry has evolved significantly over the last twenty years, with newer technologies enabling enterprises to reimagine how their businesses can benefit from IT. Recently, Intel announced that IPMI will be set for end of life. That means companies that have based their server management on IPMI must now look for an alternative. Luckily, such an alternative exists in the form of Distributed Management Task Force (DMTF) Redfish®, an industry standard API designed to deliver simple and secure management for converged, hybrid IT, and Software Defined Data Center (SDDC) environments.

In today's world, where the applications and data that create and run our enterprises live in multiple locations, IT security, including governance, compliance and controls, is of paramount importance. Cybersecurity Ventures predicts that cybercrime will cost the world $6.0 trillion annually by 2021, doubling from $3.0 trillion in 2015. This represents the greatest transfer of economic wealth in history, and is even more profitable than the global trade of all major illegal drugs combined. (1) Until now, the focus of IT security has been on protecting software and networks, but with the rise in firmware attacks, corporations and cybersecurity companies are now paying more attention to the hardware threat.

With IPMI set for end of life, companies should look to a more secure solution that provides all the great capabilities of IPMI, without the security risk. In the past, attacks were at the operating system level, but as threats have evolved, we are starting to see more attacks at the firmware and hardware level, where IPMI vulnerabilities are much more exploitable. According to the National Cybersecurity and Communications Integration Center (NCCIC), attackers can leverage IPMI to get physical-level access to servers. Some issues identified include:

Passwords for IPMI authentication are saved in clear text.

Knowledge of one IPMI password gives you the password for all computers in the IPMI managed group.

Root access on an IPMI system grants complete control over the hardware, software, and firmware on the system.

BMCs often run excess and older network services that may be vulnerable.

IPMI access may also grant remote console access to the system, resulting in access to the BIOS.

There are few, if any, monitoring tools available to detect if the BMC is compromised.

Certain types of traffic to and from the BMC are not encrypted.

The documentation on how to sanitize IPMI passwords without destruction of the motherboard is unclear.

Ruben is the product marketing lead for server software and security at Hewlett Packard Enterprise. He is responsible for messaging and bringing HPE security technologies to market—while providing a comprehensive view across server management, security, and artificial intelligence.